Two different security flaws affecting the customers of AT&T and T-Mobile were revealed this past week.
The security gaps could have given hackers access to customer account PINs, which would in turn allow them to potentially hijack the customers’ SIM cards. AT&T customers were left vulnerable by the insurance provider Asurion. When initiating claims through Asurion’s web site, hackers could have gleaned PINs through a form that imposed no limit on the number of incorrect PIN entries. This opened the door to brute-force attacks. T-Mobile customers were left vulnerable by the Apple Store app on iPhones. The issue left an opening on a web page that bridged the Apple Store with T-Mobile’s account verification system.
Similar to the Asurion issue, the Apple Store didn’t place a limit on the number of attempts for PIN entry. This also permitted a brute-force attack to guess the number. Both Asurion and Apple resolved the lapses after they were brought to their attention. The T-Mobile vulnerability left some 77 million customers exposed.
The number of customers impacted at AT&T is not known. SIM hijacking allows hackers to essentially take over the identity of a legitimate phone number, which can then be used to verify identity in apps and services that rely on SMS-based two-factor authentication.
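Both flaws come down to the same server-side mistake: a PIN check that keeps answering guesses forever. The following is an added illustration, not code from Asurion, Apple or either carrier, of an account PIN verifier whose attempt limit can be switched off (`max_attempts=None`) to model the flawed forms, together with a helper that measures how many guesses an unlimited endpoint answers before a 4-digit PIN is recovered versus how quickly a limited one shuts the attempt down. The PIN value, attempt threshold and lockout period are constructed for the example.

```python
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class PinVerifier:
    """Server-side account PIN check (hypothetical; not any real provider's code).

    State lives with the account, not the HTTP session, so clearing cookies or
    rotating source IPs does not reset the counter.
    """
    pin: str                            # stored PIN for this account (constructed value)
    max_attempts: Optional[int] = 5     # None reproduces the flaw: no limit on attempts
    lockout_seconds: float = 900.0      # how long the account stays locked after the limit
    failures: int = 0                   # consecutive wrong guesses so far
    locked_until: float = 0.0           # epoch time at which the lock expires

    def verify(self, guess: str, now: float) -> bool:
        """Return True only for the correct PIN on an unlocked account."""
        # While locked, refuse without comparing; this is what the flawed forms lacked.
        if self.max_attempts is not None and now < self.locked_until:
            return False
        # Constant-time comparison so response timing does not leak matching digits.
        if hmac.compare_digest(self.pin.encode(), guess.encode()):
            self.failures = 0
            return True
        self.failures += 1
        if self.max_attempts is not None and self.failures >= self.max_attempts:
            self.locked_until = now + self.lockout_seconds
            self.failures = 0
        return False


def measure_exposure(verifier: PinVerifier, now: float = 0.0) -> Tuple[bool, int]:
    """Feed every 4-digit PIN to the verifier and report (pin_recovered, guesses_answered).

    With no limit the correct PIN is always found within 10,000 guesses; with a
    limit the verifier locks and the loop stops at the threshold. All guesses are
    sent at the same instant ``now`` so the lockout window never expires here.
    """
    for count, guess in enumerate((f"{i:04d}" for i in range(10_000)), start=1):
        if verifier.verify(guess, now):
            return True, count
        if now < verifier.locked_until:   # the verifier just locked the account
            return False, count
    return False, 10_000


if __name__ == "__main__":
    unlimited = PinVerifier(pin="4821", max_attempts=None)
    limited = PinVerifier(pin="4821", max_attempts=5)
    print("no limit  :", measure_exposure(unlimited))   # PIN recovered after 4822 guesses
    print("5-attempt :", measure_exposure(limited))     # locked after 5 guesses
    # Even the correct PIN is refused while the lock is in force ...
    print("locked    :", limited.verify("4821", now=10.0))
    # ... and accepted once the lockout window has passed.
    print("expired   :", limited.verify("4821", now=901.0))
```

The lockout is keyed to the account rather than to the client, because an attacker guessing one victim's PIN has no reason to reuse an IP address or session. Throttling alone (say, one attempt per second) would still leave a 4-digit PIN recoverable in under three hours, so a hard cap followed by a lockout, and ideally an out-of-band notification to the customer, is the control that actually closes this class of gap.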